The real Iranian threat: Cyberattacks

A cyberattack believed to be backed by Iran brought down 75% of the PCs at Saudi oil company Aramco.

Iran's quest for a nuclear weapon has been the subject of much debate this election season, but the presidential candidates rarely discuss the most imminent danger Iran poses to the United States: cyberwarfare.

The bank attacks were 10 to 20 times bigger than a typical denial of service attack, and doubled the previous record for traffic maliciously directed at a particular site, according to CrowdStrike, a security firm that investigated the attacks. The Aramco attack, set to go off on an Islamic holy night, unleashed a virus that destroyed about 30,000 corporate computers -- three-quarters of the company's PCs.

It's a show of muscle the United States and its allies are unaccustomed to seeing from Iran. Cyberespionage and online identity theft are common tactics of Russian mafiosos and Chinese hackers, but Iran is relatively new to this playing field. After a series of painful economic sanctions levied on the country by the United States and Europe, cybersecurity experts say they're not surprised that Iran is fighting back.

"Iran is trying to demonstrate that it has a capability to disrupt life in the West," said Roger Cressey, senior vice president at security consultancy Booz Allen Hamilton. "Its argument is: 'Whatever you in the West may do to us, know that it will not be a pain-free operation.'"

Attributing attacks to specific perpetrators is often difficult in cyberspace, where identities can be easily disguised. But there is mounting belief -- if not direct evidence -- that the Iranian government is at least supporting the attackers.

The State Department declined to comment for this article, but Defense Secretary Leon Panetta said at a cybersecurity event in New York last month that Iran has "undertaken a concerted effort to use cyberspace to its advantage."

Cybercrime experts largely agree that Iran hasn't yet demonstrated a capability to cause massive damage to the United States and its allies, as most believe Chinese or Russian attackers could.

But Iran has proven that its cyberattack abilities -- and its ambitions -- are expanding. Analysts note that even if Iran doesn't have advanced cyber capabilities of its own, experienced cybercriminals have been willing to contract their services to nation states in the past.

"What they've done so far is a high level annoyance, using weapons of mass disturbance," Cressey said. "As long as it's in that realm, we'll be fine. Does that mean they can't be more sophisticated? Of course not."

U.S. relations with Iran -- labeled a "terrorist state" by the federal government -- are currently far more tenuous than with any other country. The cyberdefense community's growing fear is that Iran wouldn't be afraid to digitally attack critical U.S. infrastructure or the American financial sector once it has the capability to do so.

"When it comes to most nation states, the overhanging threat of mutually assured destruction tempers any threat of all-out cyberwarfare," said Art Coviello, CEO of security firm RSA, a division of EMC(EMC). "What I worry about is that terrorists and nations that sponsor terror, such as Iran, that demonstrate cyberattack capabilities will be far more reckless than traditional adversaries."

Coviello said Iran's nuclear and cyber threats should be "tied for first" in the mind of the U.S. government.

If Iran does decide to take more serious action, it would be engaging in what's known as asymmetrical war. There are many more high-impact digital targets to attack in the United States than there are in Iran.

As a result, Secretary of Defense Panetta has said that the United States reserves the right to respond to a cyberattack with "kinetic force." In other words, the U.S. military could send physical troops into a nation that attacks it digitally.

Preparing for such an event is something the next administration will have to consider.

"Cyberattacks from Iran will be one of top policy questions that next president has to take a stand on," said Jarno Limnell, director of cybersecurty at Finnish security firm Stonesoft.

"If the U.S. is really saying that these attacks came from Iran, and if they are really attacking American financial systems, which is most vital part of its critical infrastructure, behind the United States' back, then how far will the U.S. let them keep going forward before this becomes a declaration of war?"